The latest in the list of high-profile vulnerabilities, POODLE, has been announced. While it is highly unlikely that any of our customers would be affected by this, we have changed the configuration on all the servers this morning to prevent any possible exploitation of this problem. This only affects secure server protocols and has the possibility of allowing the secure key to be read, allowing a third party to potentially read data being transferred between the browser and server. Many browsers are already being updated to prevent this, so updating the servers is more of an insurance against future exploits and older browsers.
The changes made should also prevent any related vulnerabilities that may come to light later on.
The fix means the removal of support for the affected security protocol, which also means that supporting old browsers over secure links may no longer be possible. Specifically, this will affect end users using IE 6 on a version of Windows XP that has not been patched to SP 3.
Shellshock (also known as Bashdoor) is an exploit that potentially allows attackers to run commands on vulnerable servers. The risks are still being analysed, but currently the risk for our servers seems to be very low.
In order to exploit the bug, the attacker needs to influence a server process that is running the Bash command shell. The most obvious way to exploit this on one of our web servers would be through the use of a Bash CGI script which, fortunately, none of our clients use.
The servers have been patched against this exploit (actually now a collection of different exploits) up to the latest identified weakness, CVE-2014-7187, and we will continue to monitor the situation and apply any further patches as and when they become available.
All our servers have been patched to OpenSSL version 1.0.1e to ensure that the servers and our clients’ sites are protected from the Heartbleed exploit.
As part of the ongoing upgrades to our server infrastructure, the mail server will be moved to a different server environment on Sunday 2nd February. Mail services are likely to be temporarily interrupted during the changeover period. It is anticipated that any outages will be limited to a couple of hours late on Sunday night.
The server move was carried out this morning and all services are back up and running.
The affected server was unavailable for just over 2 hours 20 minutes, from approximately 6.30 am this morning to shortly before 9 am. Apologies for any disruption caused.
Sites on UK and European based servers were unaffected.